
Engineering Procedure
SAEP-250 4 December 2012
Safety Integrity Level Assignment and Verification
Document Responsibility: Process Control Standards Committee
Previous Issue: 24 October 2009 Next Planned Update: 4 December 2017
Primary contact: Brell, Austin on 966-3-8801832
Copyright Saudi Aramco 2012. All rights reserved.
Page 1 of 35







Saudi Aramco DeskTop Standards

Table of Contents

1 Scope ........................................................ 2
2 Conflicts and Deviations ............................ 2
3 Applicable Documents ............................... 3
4 Definitions .................................................. 4
5 Instructions ................................................ 7
6 Responsibilities ......................................... 17

Appendix A - Required SIL Assignment Report Contents ........ 20
Appendix B - Required SIL Verification Report Contents ....... 22
Appendix C - Responsibilities for Engineering ...................... 24
Appendix D - SIF Specification Sheet ................................... 25
Appendix E - Risk Matrix Worksheet ..................................... 26
Appendix F - LOPA Worksheet ............................................. 27
Appendix G - SIL Risk Matrix ............................................... 28
Appendix H - Quantitative Risk Targets ................................ 29
Appendix I - IPL Rule Sets .................................................... 30
Appendix J, K - Test Interval Guidelines .............................. 31
Appendix L - Beta Factors .................................................... 33
Appendix M - General Notes ................................................ 34



1 Scope
This Saudi Aramco Engineering Procedure provides procedures and guidelines for
the assignment and verification of Safety Integrity Levels (SIL) for ESD safety
instrumented functions (SIF) and for the analysis of the spurious trip rate (STR) that
results from introducing an ESD safety instrumented function into the process facility.
The procedure applies a risk-based approach to safety instrumented functions to
validate that the design of safety systems in Saudi Aramco is adequate to protect
personnel, the environment and assets against potentially hazardous situations. The
risk-based approach for SIL assignment and verification is required by SAES-J-601
and is based on the industry standard IEC 61511. This procedure is to be used for new
facilities and for modifications to existing facilities with safety instrumented functions.
The document provides the Saudi Aramco tolerable risk targets, recommended data
sources for commonly used control, instrument and process equipment, a typical SIF
specification sheet, and recommended testing intervals for sensors and ZVs.
The document also defines the roles and responsibilities of LPD, the Proponent
Department, Project Management and P&CSD.
HIPS are a form of ESD and shall follow the same calculation procedures outlined
in this document and in SAEP-354, High Integrity Protective Systems Design
Requirements.
As a minimum, SIL studies shall be updated when changes are made to the facilities
and when major modifications to the data basis, models or SIL estimating methods
occur.
2 Conflicts and Deviations
2.1 Any conflicts between this Procedure and other applicable Saudi Aramco
Engineering Procedures (SAEPs), Saudi Aramco Engineering Standards
(SAESs), Saudi Aramco Materials System Specifications (SAMSSs), Saudi
Aramco Standard Drawings (SASDs), or industry standards, codes, and
forms shall be resolved in writing by the Company or Buyer Representative
through the Manager, Process & Control Systems Department of Saudi
Aramco, Dhahran.
2.2 Direct all requests to deviate from this Procedure in writing to the Company
or Buyer Representative, who shall follow internal company procedure
SAEP-302 and forward such requests to the Manager, Process & Control
Systems Department of Saudi Aramco, Dhahran.
3 Applicable Documents
All referenced Procedures, Standards, Specifications, Codes, Forms, Drawings, and
similar material or equipment supplied shall be considered part of this Procedure to
the extent specified herein and shall be of the latest issue (including all revisions,
addenda, and supplements) unless stated otherwise.
3.1 Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-302 Instructions for Obtaining a Waiver of a
Mandatory Saudi Aramco Engineering
Requirement
SAEP-354 High Integrity Protective Systems
Saudi Aramco Engineering Standards
SAES-J-002 Technically Acceptable Instrument
Manufacturers
SAES-J-601 Emergency Shutdown & Isolation Systems
SAES-Z-002 Technically Accepted Process Automation
Systems
3.2 Industry Codes and Standards
The Instrumentation, Systems, and Automation Society (ISA)
ISA TR84.00.02 Safety Instrumented Functions Evaluation
Techniques
The International Electrotechnical Commission (IEC)
IEC 61508 Functional Safety of
Electrical/Electronic/Programmable
Electronic Safety-related Systems
IEC 61511 Functional Safety - Safety Instrumented
Systems for the Process Industry Sector
Reliability Data Sources
OREDA Offshore Equipment Reliability Handbook
EXIDA Safety Equipment Reliability Handbook
4 Definitions
4.1 Acronyms
DCF Diagnostic Coverage Factor
ESD Emergency Shutdown System
ETA Event Tree Analysis
FTA Fault Tree Analysis
HAZOP Hazards and Operability Study
HIPS High Integrity Protective System
IO Input/Output
IPL Independent Protection Layer
LOPA Layers of Protection Analysis
LPD Loss Prevention Department
P&CSD Process and Control Systems Department
PFDavg Probability of Failure on Demand, Average
PHA Preliminary Hazard Analysis
QRA Quantitative Risk Assessment
SAPMT Saudi Aramco Project Management Team
SIL Safety Integrity Level
SIF Safety Instrumented Function
SIS Safety Instrumented System
SFF Safe Failure Fraction
SRS Safety Requirements Specification
STR Spurious Trip Rate
TI Test Interval
T&I Test and Inspection
UPS Uninterruptible Power Supply
ZV Power Operated Emergency Isolation Valve
4.2 Definition of Terms
Beta Factor (β): The number of common cause failures expressed as a
fraction of all possible failures. A common mode failure is a failure that may
affect duplicate components in redundant configurations.
Dangerous Failure (λD): Component failures that will prevent the safety
instrumented function from safely shutting down and isolating the process.
Dangerous failures consist of dangerous detected and dangerous undetected
failures.
λD: The failure rate for a dangerous failure of a component.
λD = λDD + λDU
λD = 1/MTTFD
λDD: The failure rate for a dangerous detected failure of a component.
λDU: The failure rate for a dangerous undetected failure of a component.
Demand: A process or equipment condition which requires the safety
instrumented function to take action to prevent a hazardous situation.
Diagnostic Coverage Factor (DCF): The number of dangerous failures that
diagnostic features are capable of detecting as a fraction of all possible
dangerous failures.
Emergency Shutdown System (ESD): A system composed of sensors,
logic solvers, and final control elements for the purpose of taking the
process, or specific equipment in the process to a safe state when
predetermined conditions are violated. The system is designed to isolate,
de-energize, shutdown or depressure equipment in a process unit. Another term
commonly used throughout the hydrocarbon and petrochemical industry is
Safety Instrumented System (SIS).
Failure: An abnormal situation that prevents the operation of the safety
instrumented function(s).
Final Control Element: A device that manipulates a process variable.
Final elements include valves, relays, solenoids and switchgear.
Hardware Fault Tolerance: The ability of the system and SIF components
to continue to perform the required function in the presence of one or more
faults. A hardware fault tolerance of 1 means that the system will perform
the required function in the presence of a single fault.
Initiator: The input measuring device that initiates a trip signal to the ESD
system. Initiators include switches, transmitters and manual pushbuttons.
Inherent Safety: A design that avoids the hazards instead of controlling
them, by minimizing the amount of hazardous material present, substituting
the material with a less hazardous material, moderating the effect through
dilution or pressure reduction, and simplifying the design where practical
to minimize equipment and process failure.
Logic Solver: The system that is used to perform the shutdown application
logic. Logic solvers may be programmable controller based, relay based or
solid state.
Mechanical Integrity: The suitability of the equipment to operate safely
and reliably under the normal and abnormal (upset) operating conditions to
which the equipment is exposed.
MTBF: Mean Time Between Failure is the expected time between
failures of a system component, including its time to repair.
MTBF = MTTF + MTTR
MTTF: Mean Time To Failure is the expected time to failure of a system
component in a population of identical components.
MTTR: Mean Time To Repair is the statistical average of the time taken to
identify and repair a fault (including diagnosis), in a population of identical
systems.
Probability of Failure on Demand (PFDavg): The probability that the SIF
fails to respond to a process demand or a manual initiation.
PFDavg, SIF = PFDSensors + PFDLogic Solver + PFDFE + PFDPower Supply
Process Safety Time (PST): The time that it takes for a hazardous situation
(such as a release) to occur after the process operates beyond the trip point of
the safety instrumented function.
Proof Test: A periodic test performed on SIF components according to test
procedure for the purpose of detecting dangerous hidden failures and
ensuring that the SIF component is functioning correctly.
Proven-in-use or Prior-use: When a documented assessment has shown
that the device, based on previous operating experience in a similar
environment, is suitable for use in the ESD system.
Residual Risk: The risk remaining after protective measures have been
taken.
Risk Reduction Factor (RRF): The reduction of risk that the safety
instrumented function provides when operating in the process.
RRF = 1/PFDavg, SIF

Safety Availability: The fraction of time that a safety system is able to
perform its designated function when the process is operating. The safety
system is unavailable when it has failed dangerously or is in bypass. Safety
availability is equal to 1 minus the PFDavg of the safety instrumented function.
Safe Failure (λS): A failure that does not place the SIF in a dangerous state.
A safe failure results in a trip or an alarm to the operator.
λS: The failure rate for a safe failure of a component.
λS = λSD + λSU
λS = 1/MTTFS
λSD: The failure rate for a safe detected failure of a component.
λSU: The failure rate for a safe undetected failure of a component.
Safe Failure Fraction (SFF): The fraction of all failures that cause the
device to fail to its safe state, i.e., to a trip or an alarm.
SFF = 1 - λDU/λ, where λ = λS + λD
Safety Instrumented Function (SIF): A safety instrumented function
consists of input devices, logic solver and final output devices. Another term
commonly used in Saudi Aramco is ESD Loop.
Safety Integrity Level (SIL): The level of overall safety availability for the
ESD safety instrumented function or an ESD system component calculated
as 1 minus the sum of the average probability of dangerous failures on
demand.

Table 1 Safety Integrity Levels (SIL)

SIL | RRF (Risk Reduction Factor) | PFDavg (Probability of Failure on Demand) (1/RRF) | Safety Availability (1 - PFDavg)
0/a | Process Control | |
1 | 10 to 100 | 1/10 to 1/100 | 90 - 99%
2 | 100 to 1,000 | 1/100 to 1/1,000 | 99 - 99.9%
3 | 1,000 to 10,000 | 1/1,000 to 1/10,000 | 99.9 - 99.99%

Spurious Trip Rate (STR): The rate of unscheduled shutdowns of the
process occurring each year. MTTFspurious = 1/STRSIF
Test Interval (TI): The time interval in years at which a proof test is
made on a sensor, logic solver and/or final control element to ascertain that
the components of a SIF are operating correctly.
5 Instructions
5.1 SIL Assignment
5.1.1 General
The SIL assignment establishes the risk reduction needed for each
process system to protect against one or more hazards (such as
explosion, toxic release, leak, etc.). The risk reduction is calculated
as the gap between the existing risk posed by the process or
equipment and the risk target. Risk reduction is provided by
process and mechanical integrity, independent protection layers and
if so required safety instrumented systems (SIS).
5.1.2 Identification of Safety Instrumented Functions
Safety instrumented functions are to be identified during Project
Proposal and Detailed Design to meet:
5.1.2.1 Licensor engineering requirements and previous design
experience for similar processes.
5.1.2.2 Facility or industry experience with process upsets,
incident or accident reports.
5.1.2.3 Engineering requirements of Saudi Aramco Standards.
5.1.2.4 HAZOP/PHA recommendations for process interlocks,
alarms and shutdown interlocks. A hazard and risk
assessment that identifies the hazardous events, their
causes and likelihood.
5.1.2.5 Recommendations from any process analysis such as the
study of the impact of control instrument failures,
control valve failure modes, pressure relief and flare
capacity studies, etc.
5.1.3 SIL Assignment Techniques and Software Packages
5.1.3.1 Layers of Protection Analysis (LOPA) shall be used for
SIL assignment on ESD safety instrumented functions
allocated in project proposal, detailed engineering or
those safety instrumented functions that have been
allocated within an existing facility. The Risk Matrix in
Appendix G may be used for qualitative SIL assignment
as may be required during DBSP.
5.1.3.2 Software packages which support consequence
modeling, ETA, FTA and LOPA are recommended to
assist in the documentation and consistency of the SIL
assignment process. Refer to Loss Prevention
Department/Technical Services Unit for recommended
consequence modeling packages.
5.1.4 Documentation of Calculations
All assumptions and the source of data used, consequence and
frequency model calculations and any information necessary to
support the risk assessment shall be documented and maintained
with the project documentation as specified in Appendix A of this
procedure.
5.1.5 SIL Assignment at Project Proposal and Detailed Design
5.1.5.1 SIL Assignment shall be completed in Project Proposal
and Detailed Design using the Layers of Protection
Analysis (LOPA) methodology.
5.1.5.2 The SIL Assignment study is recommended to be
conducted in parallel with the HAZOP study, but before
instrumentation and control equipment is ordered.
5.1.5.3 The consequence and frequency targets in Appendix H
are to be used for quantitative risk assessment methods
including ETA, FTA or LOPA.
5.1.5.4 SIL#4 shall not be assigned for Saudi Aramco facilities
design; instead the process and mechanical design shall be
reviewed and modified to reduce the residual risk required
of a SIF to SIL#3 or below.
5.1.6 SIL Assignment Planning
In order to follow a sound and well planned process, the following
is required in preparation for a SIL study:
5.1.6.1 The scope of the study and its limitations are to be
clearly defined including the documentation
requirements as outlined in Appendix A.
5.1.6.2 The study team must be formed by knowledgeable and
competent personnel as specified in Section 5.1.7 of this
procedure.
5.1.6.3 Assumptions and source reliability data shall be agreed
upon prior to beginning the study.
5.1.6.4 Process Flow Diagrams which show key control
instrumentation shall be available to assist the team in
reviewing the process conditions.
5.1.6.5 The supporting design documentation required for the SIL
Assignment Study is the P&IDs, the Safety Instrumented
Functions List and the Cause-and-Effect Charts.
5.1.6.6 Supporting software packages should be available and
understood by the study facilitator.
5.1.7 Personnel
The SIL Assignment team shall be formed of a knowledgeable and
competent process engineer, instrument and control engineer, senior
operations and maintenance personnel and an LPD engineer. The
facilitator of the study must have a working knowledge of the SIL
assignment process and be familiar with the process under review and
the software tools being used during the study.
One or more members of the SIL Assignment team shall be
certified as a Functional Safety Engineer by TÜV or its equivalent.
5.1.8 Independent Protection Layers (IPL)
Independent protection layers when applied to mitigate the hazard
shall reduce the identified risk by a factor of 10 or more, be
independent, dependable and auditable. IPL risk reduction values
as shown in Appendix I shall be applied with the following
additional requirements when considering an IPL based on operator
intervention:
5.1.8.1 The operator has an adequate alarm system (i.e., alarms
are less than 280 per console operator per day).
5.1.8.2 There are written procedures stating the operator action.
5.1.8.3 The operator regularly completes the action as a drilled
exercise.
5.1.8.4 The operator can effectively respond to the alarm within
30 minutes to prevent the demand occurring on the SIF.
5.1.9 SIL Assignment Procedure using LOPA
5.1.9.1 Apply Saudi Aramco Quantitative Risk Targets in
Appendix H when using LOPA.
5.1.9.2 Use Appendix F, to document the LOPA results.
5.1.10 SIL Assignment Procedure using Risk Matrix
The Risk Matrix as provided in Appendix G may be used for a
qualitative indication of the SIL level such as in the DBSP.
5.1.10.1 Use the Risk Matrix in Appendix G to assign a SIL to
the safety instrumented functions.
5.1.10.2 Use Appendix E to document the results of the SIL
Assignment study.
5.1.11 SIL Assignment for SIL#3 Functions
5.1.11.1 SIL#3 safety instrumented functions shall use fully
quantitative SIL assignment methods such as using
consequence modeling, ETA, FTA or LOPA.
5.1.11.2 Develop accident scenarios for every initiating event.
This shall be accomplished using an ETA.
5.1.11.3 Evaluate the consequences of all significant accident
scenarios using consequence modeling software.
5.1.11.4 Use Appendix H Saudi Aramco Quantitative Risk
Targets to determine the acceptable risk target
frequency.
5.1.11.5 Determine the frequency of occurrence of each accident
scenario using an FTA and/or LOPA.
5.1.11.6 Compare the frequency of occurrence of each accident
scenario against its risk target frequency. The risk
reduction required for each case is determined by the
gap between the actual risk of the process and the risk
target. Use Appendix F to document results when
LOPA is used. Otherwise provide documentation as part
of the FTA and/or QRA report.
5.1.11.7 Add all the IPLs that could reduce the risk gap. IPLs
that comply with the criteria established in Section 5.1.8
may be used.
5.1.11.8 In addition to the above, any HIPS functions shall
follow the requirements of SAEP-354.
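The risk-gap arithmetic of 5.1.8 and 5.1.11.6, with the Table 1 banding and the 5.1.5.4 rule against SIL#4, worked as Python. This is an added example and not part of the procedure; the Appendix H target frequency is a constructed placeholder, and the initiating event frequency and IPL credits are constructed sample values.

```python
"""LOPA risk-gap arithmetic following SAEP-250 5.1.8, 5.1.11.6, 5.1.5.4 and Table 1.
Added example, not part of the procedure; the Appendix H target and every
frequency and IPL credit below are constructed sample values."""
from dataclasses import dataclass


@dataclass
class IPL:
    name: str
    pfd: float                        # risk reduction claimed, as a probability of failure on demand
    independent: bool = True
    dependable: bool = True
    auditable: bool = True
    operator_response: bool = False   # set for operator-intervention IPLs (5.1.8.1 to 5.1.8.4)
    alarms_per_operator_day: int = 0
    written_procedure: bool = True
    drilled: bool = True
    response_minutes: int = 0


def ipl_credit_allowed(ipl: IPL) -> bool:
    """5.1.8: at least a factor of 10, independent, dependable and auditable; operator
    intervention also needs the alarm load, written procedure, drill and 30 minute response."""
    if ipl.pfd > 0.1 or not (ipl.independent and ipl.dependable and ipl.auditable):
        return False
    if ipl.operator_response:
        return (ipl.alarms_per_operator_day < 280 and ipl.written_procedure
                and ipl.drilled and ipl.response_minutes <= 30)
    return True


def mitigated_frequency(initiating_per_year: float, ipls: list) -> float:
    """Scenario frequency after the IPLs that qualify for credit (5.1.11.7)."""
    freq = initiating_per_year
    for ipl in ipls:
        if ipl_credit_allowed(ipl):
            freq *= ipl.pfd
    return freq


def required_rrf(initiating_per_year: float, ipls: list, target_per_year: float) -> float:
    """5.1.11.6: the gap between the remaining scenario frequency and the risk target."""
    return mitigated_frequency(initiating_per_year, ipls) / target_per_year


def sil_for_rrf(rrf: float):
    """Table 1: 0 means process control only, 1 to 3 the SIL band; None means the gap
    exceeds SIL#3 and 5.1.5.4 requires a process or mechanical design change instead."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    if rrf <= 10000:
        return 3
    return None


# Constructed scenario: high pressure from a blocked outlet, initiating event 2 per year.
INITIATING_PER_YEAR = 2.0
TARGET_PER_YEAR = 1.0e-5     # placeholder for the Appendix H target (not on this page)
IPLS = [
    IPL("relief valve", pfd=0.01),
    IPL("operator response to high pressure alarm", pfd=0.1, operator_response=True,
        alarms_per_operator_day=150, response_minutes=20),
    IPL("basic process control loop", pfd=0.1, independent=False),   # shares the initiating cause
]

if __name__ == "__main__":
    rrf = required_rrf(INITIATING_PER_YEAR, IPLS, TARGET_PER_YEAR)
    print(f"required RRF {rrf:.0f} -> SIL {sil_for_rrf(rrf)}")
```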
5.2 SIL Verification
5.2.1 Documentation of Calculations
SIL Verification shall be completed during Detailed Design to
verify the SIL Assignment for each safety instrumented function
that is SIL#2 or SIL#3. All assumptions, data sources, and any
other information necessary to define the final safety availability
and spurious trip rate shall be documented and maintained with the
shutdown system documentation as required in Appendix B.
5.2.2 SIL Verification Techniques and Software Packages
Simplified Equations, Markov Models or Fault Tree Analysis may
be used as the calculation methods for safety availability and
spurious trip rate. Software packages which support these
modeling techniques are recommended to assist in the
documentation and consistency of the calculations.
5.2.3 Assumptions used in Calculations
5.2.3.1 Failure rate data shall be sourced from recognized
industry sources such as OREDA, EXIDA, third-party
certified manufacturers' technical data, TÜV reports or
those specifically stated in this procedure.
5.2.3.2 Components used in the shutdown system shall be
technically acceptable per SAES-J-002, SAES-Z-002 and
proven-in-use in Saudi Aramco facilities.
5.2.3.3 When calculating the PFDavg of a SIF which is energized to
trip, the contribution of the power supply shall be included.
5.2.3.4 The failure rates for a logic solver shall include the input
and output module type for that safety instrumented
function.
5.2.3.5 The calculated PFDavg should be verified as better than
the minimum required PFDavg value by a factor of 25% as
shown below:
SIL#1 PFDavg < 7.5 E-02
SIL#2 PFDavg < 7.5 E-03 and
SIL#3 PFDavg < 7.5 E-04
5.2.3.6 Proof test intervals may be extended based on
calculations to show that the PFDavg meets the required
target SIL but up to the limits shown in Appendices J and
K or the T&I interval, whichever is less. Appendices J
and K may be used in lieu of calculating test interval
values for sensors and ZVs when a SIL has been assigned
to the safety instrumented function.
5.2.3.7 Spurious trip calculations shall take into consideration the
failure mode of the transmitter and any time delay
shutdown logic which would inhibit a spurious trip.
When a transmitter is configured to fail away from the trip
point, or the logic is such that the trip signal is bypassed or
delayed then the spurious trip is inhibited. When the
spurious trip is inhibited in this way no spurious trip rate
calculation for the transmitter is necessary.
5.2.3.8 The minimum MTTR time for a transmitter, switch, valve
or other device to be offline for repair is three shifts or
24 hours.
5.2.3.9 Partial stroke testing for valves shall use a maximum of
60% contribution to the PFDavg. Full stroke testing shall
add the remaining 40% contribution factor to the PFDavg.
5.2.3.10 Shutdowns which are initiated manually via a push/pull
button are exempt from SIL verification. These shutdown
buttons require an operator intervention that is used for
both prevention and mitigation of hazardous events.
Total Plant Shutdown, Unit Shutdown, Equipment
Isolation and Equipment Protection Systems Shutdown
which are manually initiated by the operator via push/pull
button are considered as SIL#1 safety instrumented
functions and included in the ESD system.
5.2.3.11 Sensors and final control elements used in SIL#3 SIFs
shall be voted to provide a minimum hardware fault
tolerance of 1. Acceptable sensor voting architectures in
SIL#3 SIFs are 1oo2, 2oo3 and 2oo4. Acceptable final
control element voting architectures for SIL#3 SIFs are
1oo2, 1oo3 and 2oo4.
5.2.4 SIL Verification Calculation Procedure
Refer to ISA - TR84.00.02 Part 2
5.2.4.1 Identify the safety instrumented functions and their
required SIL.
5.2.4.2 List the components of each SIF. List the dangerous
failure rates (λDD, λDU), beta factor (β), MTTR and Test
Interval (TI) for each component.
5.2.4.3 Calculate the PFDavg for each combination of components
(sensors, logic solver, and final elements), then sum the
values to obtain the PFDavg for the safety instrumented
function.
5.2.4.4 Determine whether the PFDavg of the SIF meets the
required integrity assigned in the Safety Requirements
Specification.
5.2.4.5 The PFDavg of the SIF shall meet or exceed the
requirements of the SIL specified; otherwise modify the
SIF's component selection, redundancy or voting
architecture accordingly.
5.2.5 PFDavg Safety Availability Calculation References
5.2.5.1 See ISA TR84.00.02 Parts 1 and 2 for use of Simplified
Equations.
5.2.5.2 See ISA TR84.00.02 Part 3 for use of Fault Tree Models.
5.2.5.3 See ISA TR84.00.02 Part 4 for use of Markov Models.
5.2.6 Determine the PFDavg of Sensors
5.2.6.1 Identify the sensors, list their dangerous failure rates (λDD,
λDU), beta factors (β), MTTR and Test Interval (TI).
5.2.6.2 For dirty process conditions apply a severity factor to the
sensor failure rate, effectively de-rating it for the service
conditions.
5.2.6.3 Calculate the PFDavg contribution of sensors in each SIF.
5.2.7 Determine the PFDavg of Final Control Elements
5.2.7.1 Identify the final control elements such as valves, and
each of the components including actuator, solenoid valve,
positioners, pilots, boosters and limit switches, etc.
List the dangerous failure rates (λDD, λDU), beta factors
(β), MTTR and Test Interval (TI) for the valve and
actuator assembly.
5.2.7.2 Calculate the PFDavg for the final control elements, for
example the valve package including valve, actuator, and
auxiliary components.
5.2.7.3 Calculate the PFDavg contribution for the Final Control
Elements in each SIF.
5.2.8 Determine the PFDavg of the Logic Solver
5.2.8.1 Identify the type and manufacturer of the logic solver
hardware.
5.2.8.2 Identify the components of the IO and logic solver
required for the safety instrumented function, e.g., for
programmable controller based systems include the IO
module and controller types.
5.2.8.3 Calculate the PFDavg using third-party independently
validated reliability calculation tools supplied by the
Vendor, or calculate the PFDavg as the sum of the
component failures for the logic solver.
5.2.9 Determine the PFDavg of the Separate Field Power Supplies and
UPS
5.2.9.1 De-energize to trip safety instrumented functions will fail
to the safe state upon loss of power. When calculating the
PFDavg for a de-energized to trip function, the
contribution of the dangerous failure of the power
supplies may be ignored.
5.2.9.2 Energize to trip safety instrumented functions require the
power supply to be available to initiate the ESD shutdown.
When calculating the PFDavg for an energized to trip
function, the contribution of the dangerous failure of the
power supplies must be included. List the dangerous
failure rates (λDD, λDU), beta factors (β), MTTR and Test
Interval (TI) for the UPS and field power supplies.
5.2.9.3 Calculate the PFDavg contribution for the UPS and field
power supplies.
5.2.10 Determine the Overall PFDavg of the SIF
5.2.10.1 Sum the contributions to the PFDavg for the sensors, logic
solvers, final control elements and power supplies (for
energized to trip circuits).
PFDavg, SIF = PFDSensors + PFDLogic Solver + PFDFE + PFDPower Supplies
5.2.10.2 Determine the SIL of the safety instrumented function
from Table 1.
5.2.10.3 Confirm that the PFDavg meets or exceeds the SIL
assigned to the SIF.
5.2.11 Simplified Equations for PFDavg and STR
See ISA TR84.00.02 Parts 1 and 2 for use of Simplified Equations.
The following table is a summary of the simplified equations for
voting architectures using the same device type. The equations
assume similar failure rates for the redundant components.
Table 2 Simplified Equations for Different Voting Architectures
Using the Same Device Type

Voting architectures tabulated for PFDavg: 1oo1, 1oo2, 1oo3, 2oo2, 2oo3, 2oo4
Voting architectures tabulated for Spurious Trip Rate (STR): 1oo1, 1oo2, 1oo3, 2oo2, 2oo3, 2oo4

Note: Include λDD in the spurious trip rate calculation when a dangerous detected failure will place
the system into the fail safe de-energized state causing a trip.

5.3 Spurious Trip Rate (STRSIF)
STR calculations shall be made for ESD safety instrumented functions. ESD
safety functions shall be designed with a specified minimum MTTFspurious
(i.e., 1/STRSIF), for example greater than 5 years or the Test & Inspection
Interval.
5.3.1 Documentation of Calculations
All assumptions, data sources, and any other information necessary
to define the final system availability and spurious trip rate shall be
documented and maintained with the shutdown system
documentation.
5.3.2 Assumptions used in Calculations
5.3.2.1 The cost of the end device should include the total
installed cost including engineering.
5.3.2.2 Loss of production estimates should be clearly defined
in terms of the financial loss resulting from the amount
of time the process is not operating, is in turndown or is
losing product as a result of the trip.
5.3.3 STR Calculation Procedure
5.3.3.1 Identify the sensors in each SIF.
5.3.3.2 List the safe failure rates (λS) and beta factor (β) for
each sensor.
5.3.3.3 List the MTTR for each sensor.
5.3.3.4 Calculate the spurious trip rate for the combination of
sensors.
5.3.3.5 Repeat steps 5.3.3.1-4 for final control elements.
5.3.3.6 Repeat steps 5.3.3.1-4 for the logic solver and power
supplies. Calculate the spurious trip rate for the logic
solver using third party independently validated system
calculation tools supplied by the Vendor or calculate as
the sum of the component failures for the logic solver.
5.3.3.7 Sum the contributions to the STR for the sensors, logic
solvers, final control elements and power supplies (for
de-energized to trip circuits). Calculate the MTTFspurious
for each SIF.
STRSIF = STRSensors + STRLogic Solver + STRFinal Control Elements + STRPower Supplies
5.3.3.8 Confirm that the STRSIF meets or exceeds the minimum
spurious trip rate specified for the SIF.
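The verification arithmetic of 5.2.4 and 5.2.10, the 25% margin check of 5.2.3.5, the SIL#3 voting check of 5.2.3.11, the power supply rules of 5.2.9 and 5.3.3.7, and the MTTFspurious criterion of 5.3, worked as Python. This is an added example and not part of the procedure: the simplified 1oo1, 1oo2, 2oo2 and 2oo3 PFDavg and STR expressions are the ISA TR84.00.02 Part 2 forms the procedure refers to (not copied from this page), and every failure rate, beta factor, MTTR and test interval is a constructed sample value.

```python
"""SIL verification arithmetic following SAEP-250 5.2.3.5, 5.2.3.8, 5.2.3.11, 5.2.9, 5.2.10 and 5.3.
Added example, not part of the procedure: the 1oo1/1oo2/2oo2/2oo3 simplified PFDavg and STR
forms are the ISA TR84.00.02 Part 2 ones the procedure refers to; all rates are constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
PFD_LIMIT_WITH_MARGIN = {1: 7.5e-2, 2: 7.5e-3, 3: 7.5e-4}   # 5.2.3.5: Table 1 limit less 25%
SIL3_SENSOR_VOTING = {"1oo2", "2oo3", "2oo4"}                # 5.2.3.11: HFT >= 1 for SIL#3
SIL3_FE_VOTING = {"1oo2", "1oo3", "2oo4"}


@dataclass
class Subsystem:
    role: str          # "sensor", "logic_solver", "fe" or "power"
    voting: str        # "1oo1", "1oo2", "2oo2" or "2oo3"
    lam_du: float      # dangerous undetected failure rate, per hour
    lam_dd: float      # dangerous detected failure rate, per hour
    lam_s: float       # safe failure rate, per hour
    beta: float        # common cause (beta) factor of the redundant group
    mttr_h: float      # mean time to repair in hours (5.2.3.8: minimum 24 h)
    ti_years: float    # proof test interval in years


def pfd_avg(s: Subsystem) -> float:
    """Simplified-equation PFDavg for a group of identical devices."""
    if s.mttr_h < 24:
        raise ValueError("5.2.3.8: MTTR must be at least three shifts / 24 hours")
    ti_h = s.ti_years * HOURS_PER_YEAR
    x = s.lam_du * ti_h                 # dangerous undetected exposure over one test interval
    ccf = s.beta * s.lam_du * ti_h / 2  # common cause term shared by every redundant form
    if s.voting == "1oo1":
        return x / 2 + s.lam_dd * s.mttr_h
    if s.voting == "1oo2":
        return x ** 2 / 3 + ccf
    if s.voting == "2oo2":
        return x                        # both devices must work: 2 * (x / 2)
    if s.voting == "2oo3":
        return x ** 2 + ccf
    raise ValueError(f"unsupported voting {s.voting}")


def str_per_year(s: Subsystem, dd_causes_trip: bool) -> float:
    """Spurious trips per year; lamDD is counted only when a detected dangerous failure
    drives the de-energized (tripped) state, as the note under Table 2 requires."""
    lam = (s.lam_s + (s.lam_dd if dd_causes_trip else 0.0)) * HOURS_PER_YEAR
    mttr_y = s.mttr_h / HOURS_PER_YEAR
    if s.voting == "1oo1":
        return lam
    if s.voting == "1oo2":
        return 2 * lam
    if s.voting == "2oo2":
        return 2 * lam ** 2 * mttr_y + s.beta * lam
    if s.voting == "2oo3":
        return 6 * lam ** 2 * mttr_y + s.beta * lam
    raise ValueError(f"unsupported voting {s.voting}")


def achieved_sil(pfd: float) -> int:
    """Table 1 band of a PFDavg; SIL 4 is not used (5.1.5.4), so below 1/1,000 reports 3."""
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def verify_sif(subsystems, required_sil, energize_to_trip, dd_causes_trip=True,
               min_mttf_spurious_years=5.0):
    """5.2.10 and 5.3.3.7: sum the subsystem contributions, then apply the checks."""
    pfd_sif = sum(pfd_avg(s) for s in subsystems
                  if energize_to_trip or s.role != "power")            # 5.2.9
    str_sif = sum(str_per_year(s, dd_causes_trip) for s in subsystems
                  if not energize_to_trip or s.role != "power")        # 5.3.3.7
    hft_ok = required_sil != 3 or all(                                 # 5.2.3.11
        (s.role != "sensor" or s.voting in SIL3_SENSOR_VOTING)
        and (s.role != "fe" or s.voting in SIL3_FE_VOTING)
        for s in subsystems)
    mttf_spurious = float("inf") if str_sif == 0 else 1.0 / str_sif
    return {
        "pfd_avg": pfd_sif,
        "rrf": 1.0 / pfd_sif,
        "achieved_sil": achieved_sil(pfd_sif),
        "margin_ok": pfd_sif < PFD_LIMIT_WITH_MARGIN[required_sil],     # 5.2.3.5
        "hft_ok": hft_ok,
        "str_per_year": str_sif,
        "mttf_spurious_years": mttf_spurious,
        "str_ok": mttf_spurious > min_mttf_spurious_years,              # 5.3
    }


# Constructed SIL#2 trip: 2oo3 transmitters, 1oo1 logic solver, 1oo2 valves, de-energize to trip.
EXAMPLE_SIF = [
    Subsystem("sensor", "2oo3", 3.0e-7, 1.0e-6, 2.0e-6, beta=0.05, mttr_h=24, ti_years=1.0),
    Subsystem("logic_solver", "1oo1", 1.0e-8, 5.0e-7, 1.0e-7, beta=0.0, mttr_h=24, ti_years=1.0),
    Subsystem("fe", "1oo2", 3.0e-6, 0.0, 1.0e-6, beta=0.10, mttr_h=48, ti_years=1.0),
    Subsystem("power", "1oo1", 2.0e-7, 0.0, 5.0e-7, beta=0.0, mttr_h=24, ti_years=1.0),
]

if __name__ == "__main__":
    for key, value in verify_sif(EXAMPLE_SIF, required_sil=2, energize_to_trip=False).items():
        print(f"{key}: {value}")
```

Running the block prints the de-energize-to-trip result; re-running with required_sil=3 shows the same hardware passing the voting check but failing the 25% margin.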
5.4 Safety Requirements Specification (SRS)
As part of the Safety Requirements Specification a SIF Specification Sheet
shall be published summarizing the results of the SIL Assignment and SIL
Verification studies along with a written narrative of the shutdown
requirements. See Appendix D for an example SIF Specification Sheet.
6 Responsibilities
6.1 Saudi Aramco Project Management Team (SAPMT)
a) Allocate a knowledgeable and competent SIL Team to conduct a SIL
Assignment Study. Invite P&CSD, LPD and proponent representatives
to participate in the SIL Assignment study. See paragraph 5.1.7 for
further details.
b) Perform SIL Assignment and Verification for each safety instrumented
function per this procedure.
c) Submit the SIL Assignment report for review to appropriate Saudi
Aramco organizations.
d) Submit the SIL Verification report for review to appropriate Saudi
Aramco organizations.
e) Submit a SIF Specification Sheet for each ESD safety instrumented
function.
f) Determine quantitatively the consequence and the likelihood frequency
for all SIL#3 ESD safety instrumented functions.
6.2 Loss Prevention Department (LPD)
a) Support SAPMT and P&CSD organizations in planning and
performing SIL studies.
b) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
6.3 Process & Control Systems Department (P&CSD)
a) Support PMT and Proponent organizations in planning and performing
SIL studies.
b) Support proponent organizations in maintaining the designed integrity
of installed SIS.
c) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
d) Review all projects SIL verification reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
e) Participate in SIL Assignment Studies as requested by SAPMT.
6.4 Proponent Organizations
a) Assign competent and knowledgeable operations, engineering and
maintenance personnel to participate in SIL Assignment Studies.
b) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
c) Review all projects SIL verification reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
d) Allocate resources and plan necessary equipment/facility shutdowns, to
ensure performance of periodic proof testing and maintenance along
the life cycle of the SIS during its operational life and for
decommissioning, as established in this document.
e) Ensure that the designed integrity of the SIS is maintained during the
operational life of the safety instrumented system.



Revision Summary
4 December 2012 Major revision.

Appendix A Required SIL Assignment Report Contents

1. Introduction
1.1 Scope
This section shall define the scope and structure of the study, state the
process units and their ESD applications under review, and any additional
requirements specific to the SIL Assignment Study.
1.2 Objectives
This section shall define the intent of the SIL Assignment Report.
2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used
in this document that are subject to interpretation by the user.
A simple translation of an abbreviation is not sufficient unless the meaning of the
translation is obvious.
3. Applicable Documents
All documents referenced within the SIL Assignment report shall be listed and
completely identified in this section.
4. Project Description
4.1 Introduction
This section shall provide an overall description of the process and the
process control system design.
4.2 SIL Study Methodology
This section shall summarize the SIL Assignment methodology of LOPA
used in the study.
5. Assumptions
State or reference all assumptions used in the quantitative and qualitative analysis in
this Section. Note any assumptions relating to the consequence and likelihood of
hazardous events.

6. Data Sources and Software Package
6.1 Data Sources
State the data sources and software packages used in this Section.
6.2 Models
Reference all consequence and likelihood models completed on the facility
including toxic and flammable dispersion models, blast study models, and
transient pipeline analysis.
7. Results
7.1 Worksheet
Provide a completed LOPA worksheet (Appendix F) showing all initiated
SIFs and their respective SIL assignment.
7.2 Recommendations
Provide a summary of recommended proposals that would improve the
safety design, mitigate the process risk or reduce plant downtime.
8. Conclusions
This section provides a summary of the recommendations and any further
information to execute the engineering design. State any further information or
modeling required.

Appendix B Required SIL Verification Report Contents

1. Introduction
1.1 Scope
This section shall define the scope, methodology and structure of the study,
state the process units and their ESD applications under review, and any
additional requirements specific to the SIL Verification Study.
1.2 Objectives
This section shall define the intent of the SIL Verification Report.
2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used
in this document that are subject to interpretation by the user.
A simple translation of abbreviations is not sufficient unless the meaning of the
translation is obvious.
3. Applicable Documents
All documents referenced within the SIL Verification report shall be listed and
completely identified in this section.
4. System Description
4.1 Introduction
This section shall provide an overall view of the Process Automation
System, its operation and capabilities, and its intended use.
4.2 Safety Instrumented Functions
This section shall provide a list of the SIFs being considered in the
verification. The following information shall be included:
a) SIF Number and Tag Name.
b) SIL required.
c) Sensors Tag Number/s.
d) Final Element/s Tag Number/s.
e) SIS architecture confirming the required fault tolerance of the
components per IEC 61511.

5. Assumptions
This section shall include all assumptions used in the calculations. These include,
but are not limited to:
5.1 Test Interval (TI) for instruments, logic solver and final control elements.
5.2 Common Cause Beta Factor (β) for instruments, logic solver and final
control elements.
5.3 Failure rate data (λDD, λDU, λS) of instrumentation, logic solver, final control
elements and power supplies.
5.4 Service factors for process instrumentation and final control elements.
5.5 The failure mode of transmitters and valves in the trip condition.
6. Data Sources and Software Package (Version)
This section provides a reference or a complete list of failure rate data (λDD, λDU, λS)
used for the instrumentation and control equipment. This section also provides the
details of the software package used in SIL verification.
7. Calculation Results
This section shall show the calculation results summarized for each safety
instrumented function including those that verify the SIL and those to calculate the
spurious trip rate (STR). SIFs which have the same instrumentation may be
grouped, however, the calculations must show sufficient working so as to be
checked and reviewed.

Appendix C Responsibility for Engineering

Figure 1 - SIL and Engineering Design (flow diagram; recoverable content summarized below)
The diagram lays the SIL activities over the project phases Conceptual Design, DBSP, Project Proposal and Detailed Design, and names who performs and who reviews each activity:
Stage-one: PHA, Hazard Identification; SIL Assignment, Qualitative, Consequence Risk Matrix. By: PMT. Review: P&CSD/LPD.
Stage-two: SIL Assignment, Semi-Quantitative, LOPA. By: PMT. Review: P&CSD/LPD.
Stage-three (SIL 3 Only): SIL Assignment, Quantitative. By: PMT. Review: P&CSD/LPD.
SIS Design, SIL 1, 2, and 3. By: PMT. Review: P&CSD.
SIS Verification, SIL 1, 2, and 3. By: PMT. Review: P&CSD.
Installation, Validation, Testing, Commissioning. By: PMT & OME. Review: OPS.

Appendix D SIF Specification Sheet Sample

SIF Number:
Related SIFs:
Pre-Alarm Tag:
Initiator Tag/s & Failure Mode:
Trip Set-point:                          Pre-Alarm Set-point:
Logic Solver Tag & Failure Mode:
Final Element Tag & Failure Mode:

Design Intent:

Demand Scenarios:
Case A:
Case B:

Consequence of Failure:
Case A:
Case B:

SUMMARY

SIL ASSIGNMENT AND TEST INTERVAL
Demand Rate D:                           Process Safety Time:
Likelihood Indices W:
Consequence Values for S, E, L C:
Target Risk Frequency Table H:           SIL Assigned:
Test Interval, Years: Sensor:_______ Valve:_________
PFDavg:
Overall SIL:

SPURIOUS TRIP RATE
Cost of a Spurious Trip:
Sensor STR^-1:
Final Element STR^-1:
1/STR_SIF:

Appendix E Risk Matrix - SIL Assignment Worksheet

Facility/Project:
Process Equipment:
P&ID #s:
HAZOP References:
Date Prepared:
Date Issued:
Reviewed by:
Approved by:

Worksheet columns:
SIF# | Scenario Description | C Value S-E-L | Initiating Cause | Demand Frequency D, Yr^-1 | Independent Protection Layers (IPLs): IPL 1, IPL 2, IPL 3, IPL 4, IPL 5, IPL 6 | Event Likelihood (W) | SIL

Appendix F LOPA SIL Assignment Worksheet

Facility/Project:
Process Equipment:
P&ID #s:
HAZOP References:
Date Prepared:
Date Issued:
Reviewed by:
Approved by:

Worksheet columns:
SIF# | Scenario Description | Appendix H Risk Target, Yr^-1 | Initiating Cause | Demand Frequency D, Yr^-1 | Independent Protection Layers (IPLs): IPL 1, IPL 2, IPL 3, IPL 4, IPL 5, IPL 6 | Event Likelihood (W) | SIL

Appendix G Safety Integrity Level Risk Matrix

Likelihood Descriptions (Control System and Independent Protection Layers but not SIS) and Likelihood Indices:

Index | Likelihood | Scenario Description | Frequency (W)
1 | Likely | Expected to occur in the life of this facility | > 10^-2 yr^-1
2 | Occasional | May occur in the life of this facility | 10^-2 - 10^-3 yr^-1
3 | Seldom | An event has occurred in Saudi Aramco but not likely in this facility | 10^-3 - 10^-4 yr^-1
4 | Unlikely | Some events have occurred in the industry but not likely in this facility | 10^-4 - 10^-5 yr^-1
5 | Remote | Rare or never heard of in industry | < 10^-5 yr^-1

SIL Risk Matrix (rows: likelihood index; columns: consequence index):

Likelihood | C0 | CA | CB | CC | CD
1 | 1 | 2 | 3 | H | H
2 | a | 1 | 2 | 3 | H
3 | 0 | a | 1 | 2 | 3
4 | 0 | 0 | a | 1 | 2
5 | 0 | 0 | 0 | a | 1

Consequence Categories & Indices and Consequence Descriptions:

Index | Category | Safety (S) | Environment (E) | Economic (L)
C0 | Insignificant | Minor Injury or Damage to Health | No Impact | Operational Upset. Loss Less than $1 million
CA | Low | Mild to Moderate Injury with Some Treatment but Medically Manageable | Localized Short-Term Effect on the Environment, Habitats and Species | Minor Damage to Equipment and Downtime. Loss up to $10 million
CB | Medium | Serious Illness or Chronic Exposure Resulting in an Employee Fatality or Significant Life Shortening Effects | Localized Long-Term Effect on the Environment, Habitats and Species | Serious Asset Loss, Damage to Facility and Downtime Requiring Partial Shutdown. Loss up to $100 million
CC | High | Employee Fatalities and Mild Health Impact on Third Parties | Severe Damage to the Local Environment, Habitat, Species | Severe Asset Loss or Damage to the Facility with Appreciable Operation Loss. Loss up to $500 million
CD | Very High | Multiple Employee and Third Party Fatalities | Contamination Over Large Public Areas with Loss of Significant Ecosystems Affecting Inhabitants, Habitats or Species | Significant or Total Destruction of the Facility. Asset Loss above $500 million

Legend:
H: High Risk Event. Redesign of the process system required.
3: A SIL 3 SIF is required.
2: A SIL 2 SIF is required.
1: A SIL 1 SIF is required.
a: Alarm and/or Process Interlock.
0: No SIF required.

Abbreviations:
SIF = Safety Instrumented Function
SIS = ESD = Safety Instrumented Function
IPL = Independent Protection Layer
SIL = Safety Integrity Level

Notes:
Safety (S): 1) Personal Safety - injury or fatality 2) Health - short term and long term illness as a result of personal exposure to the event including exposure to land, air or water of harmful materials.
Environment (E): Includes fines, rehabilitation and cleanup costs both short and long term for affected plants and animals exposure to land, air and water.
Economic (L): Facility loss includes capital loss, business interruption, production deferment, legal liability and emergency response costs. Loss includes both Asset and Operational loss such as business interruption or loss of product unless specifically noted.

About this Risk Matrix:
Under no circumstances should any part of this matrix be changed or modified, adapted or customized. It is only to be used for SIL Assignment by competent personnel. This matrix is endorsed for use across Saudi Aramco.


Appendix H Quantitative Risk Targets

Category Indices, Risk Target Frequency (yr^-1) and Consequence Description:

CD   Risk Target Frequency: 1 x 10^-6 yr^-1
     Safety (S): Multiple Employee and Third Party Fatalities.
     Environment (E): Contamination Over Large Public Areas with Loss of Significant Ecosystems affecting Inhabitants, Habitats or Species.
     Economic (L): Significant or Total Destruction of the Facility. Asset Loss above $500 million.

CC   Risk Target Frequency: 1 x 10^-5 yr^-1
     Safety (S): Employee Fatalities and Mild Health Impact on Third Parties.
     Environment (E): Severe Damage to the Local Environment, Habitat, Species.
     Economic (L): Severe Asset Loss or Damage to the Facility with Appreciable Operation Loss. Loss (Asset and Operational) up to $500 million.

CB   Risk Target Frequency: 1 x 10^-4 yr^-1
     Safety (S): Serious Illness or Chronic Exposure Resulting in an Employee Fatality or Significant Life Shortening Effects.
     Environment (E): Localized Long-Term Effect on the Environment, Habitats and Species. E.g. Major Oil Spill onshore of greater than 10,000 bbls, or 5,000 bbls offshore.
     Economic (L): Serious Asset Loss, Damage to Facility and Downtime Requiring Partial Shutdown. Loss up to $100 million.

CA   Risk Target Frequency: 1 x 10^-3 yr^-1
     Safety (S): Mild to Moderate Injury with Some Treatment but Medically Manageable.
     Environment (E): Localized Short-Term Effect on the Environment, Habitats and Species. E.g. Medium Oil Spill less than 10,000 bbls onshore and 5,000 bbls offshore.
     Economic (L): Minor Damage to Equipment and Downtime. Loss up to $10 million.

C0   Risk Target Frequency: 1 x 10^-2 yr^-1
     Safety (S): Minor Injury or Damage to Health.
     Environment (E): No Impact.
     Economic (L): Operational Upset. Loss Less than $1 million.

Definitions:
Safety (S): Personal Safety - injury or fatality. Health - short term and long term illness as a result of personal exposure to the event including exposure to land, air or water of harmful materials.
Environment (E): Fines, rehabilitation and cleanup costs both short and long term for affected plants and animals exposure to land, air and water.
Economic (L): Equipment repair & replacement costs; Labour costs for design, procurement, installation; Lost production, product giveaway, product quality loss; Fines and penalties because of the failure; Clean up costs; Loss of inventory; Loss of contracts, purchase orders, business relationships; Loss of goodwill.


Appendix I Rule Sets for IPLs and Demand Frequency

Independent Protection Layer Rule Set

Independent Protection Layer | Category | Risk Reduction
Pressure relief valve (PZV) | S, E, L | 100
SIL 1 ESD | S, E, L | 10
SIL 2 ESD | S, E, L | 100
SIL 3 ESD | S, E, L | 1000
BPCS interlock with an independent initiator (sensor) and final control element | S, E, L | 10
Mechanical safety trip that is independent of the SIS or BPCS | S, E, L | 10 - 100
Electrical safety trips that are hardwired and independent of the SIS or BPCS, e.g. VMS, hardwired interlock for pump trip to valve closure | S, E, L | 10
Operator alarm response under high stress | S, E, L | 0
Operator alarm response under low stress, properly trained and has 30 minutes to respond | S, E, L | 10
Single or double check valve | Nil | 0
Dikes when capable of mitigating the hazardous event | E | 10 - 100
Fire Proofing when capable of mitigating the hazardous event | S, E, L | 10
Blast Proofing when capable of mitigating the hazardous event | S | 100
Electrical Area Classification that mitigates the impact of an ignition | Nil | 0

Demand Frequency Rule Set (Years)

Columns: Demand Cause | Source | Demand Frequency | Comment

Demand causes tabulated:
Magnetic drive pump seal
Loss of electrical power
Redundant utility failure (steam, instrument air, cooling water)
Loss of UPS power
Loss of redundant UPS power
Pipe rupture due to collision
Pipe leak <10% cross section due to corrosion or maintenance
Spurious closure of a fail-safe spring return ZV
Spurious closure of a fail-safe spring return motor operated ZV
Spurious failure of a MCC shutdown relay
Transmitter spurious failure
Single mechanical pump seal leak
Double mechanical pump seal leak
Control loop failure
Pump failure causing loss of flow
Parallel pump failure causing loss of flow
Centrifugal compressor trip
Switch spurious failure

Source and Demand Frequency (Years) entries of the table, in tabulated order:
10; EXIDA; EXIDA; OREDA 1.2; OREDA 1.6; OREDA 0.5; 10; 100; 100; 10; 50; 10; 100; 100000; 10000; EXIDA 40; EXIDA 40; EXIDA 20

Notes:
These rule sets are provided for guidelines in LOPA studies to calculate the scenario frequency rate (W).
Safety (S): 1) Personal Safety - injury or fatality 2) Health - short term and long term illness as a result of personal exposure to the event including exposure to land, air or water of harmful materials.
Environment (E): Includes fines, rehabilitation and cleanup costs both short and long term for affected plants and animals exposure to land, air and water.
Economic (L): Facility loss includes capital loss, business interruption, production deferment, legal liability and emergency response costs.

Abbreviations:
SIF = Safety Instrumented Function
SIS = ESD = All Safety Instrumented Functions
IPL = Independent Protection Layer
SIL = Safety Integrity Level



Appendix J Test Interval Guidelines - Sensors

Columns: Safety Integrity Level (SIL) | Sensor Configuration | Voting Logic | Mean Time To Repair (MTTR), Hours | Mean Time To Failure (MTTF_DU), Years | Proof Test Interval (TI), Years

Configurations tabulated (MTTR 24 hours; MTTF_DU of 25, 50 and 100 years for each configuration):
SIL 3: Dual 1oo2; Triple 2oo3; Quad 2oo4
SIL 2: Single 1oo1 (Not Recommended); Dual 1oo2; Dual 2oo2 (Not Recommended); Triple 2oo3
SIL 1: Single 1oo1; Dual 1oo2; Dual 2oo2; Triple 2oo3

Proof Test Interval (TI), Years, at MTTF_DU = 25 / 50 / 100 years, one line per table row in tabulated order:
1 / 2.5 / 5
5 / 5 / 5
1/2 / 1 / 2
3 / 5 / 5
- / - / 1/2
1 / 3 / 5
- / - / - (Not Recommended)
1 / 2 / 3
1/4 / 1/2 / 1
1/4 / 1/2 / 1
1/2 / 1 / 1

Basis:
1. Common Cause Beta Factor (β) = 3%
2. Maximum consumption of the SIL budget by sensors = 25%
3. Error Tolerance of the PFDavg per Section 5.2.3 = 25%
4. Maximum Test Interval of 5 years except for SIL 3 which is 1 year



Appendix K Test Interval Guidelines - ZVs

Columns: Safety Integrity Level (SIL) | Valve Configuration | Signal Selection Logic | Proof Test Interval (TI), Years

Configurations tabulated:
SIL 3: Dual 1oo2; Triple 1oo3; Quad 2oo4
SIL 2: Single 1oo1; Dual 1oo2; Dual 2oo2 (Not Recommended); Triple 1oo3
SIL 1: Single 1oo1; Dual 1oo2; Dual 2oo2; Triple 1oo3

Proof Test Interval (TI), Years, entries in tabulated order: 5; 1; 5; 1/4; 2; 5; 1; 1; 1

Basis:
1. Dangerous Undetected Failure Rate (1/λDU) = 25 years
2. Common Cause Beta Factor (β) = 5%
3. Maximum consumption of the SIL budget by ZVs = 75%
4. Error Tolerance of the PFDavg per Section 5.2.3 = 25%
5. Maximum Test Interval of 5 years except for SIL 3 which is 1 year




Appendix L Beta Factors (β)

Columns: Group | Component | β (%)

Input Devices:
Pressure, Temperature, Flow, Level Switches
Pressure, Temperature, Flow, Level Transmitters
Fire and Gas Detectors
ESD Push/Pull Button
Proximity, Limit Switches

Logic Solvers:
Safety Programmable Controller Based ESD Systems
Solid State ESD Systems
Relay Based ESD Systems

Final Control Elements:
Spring Return Fail Safe ZVs
Fail Steady ZVs, MOVs
Double Acting ZVs
Control Valves
Pressure Relief Valves
Circuit Breaker
Relay
Wellhead SSV

β (%) entries of the table, in tabulated order: 5; 3; 6; 3; 5; 2; 1; 3; 3; 5; 3; 3; 3; 3; 5; 5



Appendix M General Notes

Introduction
Applying a risk based approach to safety instrumented functions using SIL Assignment
and Verification will validate that the design of safety systems in Saudi Aramco is
adequate to protect personnel, environment and assets against potentially hazardous
situations. In addition, the risk based approach will provide additional understanding of
the process, provide opportunities to reduce capital and maintenance costs and avoid
spurious trips.
The starting point for risk based SIL assignment is to establish tolerable risk targets, so
that the necessary risk reduction for each safety instrumented function can be
quantitatively or qualitatively determined. In some cases, other independent protective
layers may be used as credit when assessing the required safety integrity level.
In order to meet the requirements of the international standard IEC 61511 it is required to:
Identify the required safety instrumented functions.
Determine the SIL for each of these functions.
Develop safety requirement specifications.
Maintain the integrity of the SIS design throughout its life.
Demonstrate the integrity of the SIS with maintenance and proof testing.
Document the design, validation, maintenance and testing throughout the lifecycle
of the SIS.

The SIL Concept
The SIL concept as applied by Saudi Aramco requires the identification and design of
safety instrumented functions that adequately protect personnel and assets against the
process risk of the operating facility. The risk reduction needed is the gap between the
existing risk posed by the equipment and the Saudi Aramco tolerable risk target. This
risk reduction gap is provided by inherently safe design, mechanical integrity, and
independent protection layers. When the above measures are not sufficient to cover the
risk reduction needed, a safety instrumented function with the required SIL, appropriate
technical specification and architecture will be designed.

The Safety Life Cycle
The safety life cycle is a fundamental concept established by the international standard
IEC 61511. The safety life cycle represents the application of good engineering
practice to safety instrumented systems. This safety life cycle in Saudi Aramco is
depicted in Figure 1 in Appendix C.
Good engineering practice is accomplished based on three fundamental aspects:
i) Design by Layers of Protection. Risk reduction is normally accomplished using more
than one protective system and more than one type of technology. Some of these
protective systems reduce the frequency of the hazardous scenario, whereas others
reduce the consequences. As a result, the total risk reduction is obtained from the
combination of the risk reduction factors from each individual protective system.
ii) Design Verification. The SIL for each component of the safety system is calculated
and must meet or exceed the requirements of the SIL assignment for that SIF.
This aspect provides a control and verification process that ensures that the design is
optimal and adequately protects the facility. SIS designs not covering the risk
reduction needed can be identified, and improved to meet the risk target.
iii) Maintaining Design Integrity. The safety life cycle includes inspection, testing
and maintenance planning, which addresses testing intervals and testing schedules.
Operation, maintenance and decommissioning are all part of the safety life cycle
of the safety instrumented systems.
Independent Protection Layers
Only those protection systems that meet the following criteria shall be classified as
independent protection layers, and therefore used in Saudi Aramco SIL studies.
Guidelines for IPL rules sets are found in Appendix I. These criteria are:
i) Risk Reduction. The protection provided reduces the identified risk by a large
amount, that is, a minimum of 10^-1.
ii) Specificity. An IPL is designed solely to prevent or to mitigate the consequences of one
potentially hazardous event (for example, a runaway reaction, release of toxic material,
a loss of containment, or a fire). Multiple causes may lead to the same hazardous event;
and, therefore, multiple event scenarios may initiate action of the IPL.
iii) Independence. An IPL is independent of other protection layers associated with
the identified danger.
iv) Dependability. It can be counted on to do what it was designed to do, and that
both random and systematic failures are addressed in the design.